feat: serverless 2.0.0 architecture with Authentik auth proxy
Implements a complete serverless development container platform:
## Architecture
- Authentik forward auth for authentication/authorization
- NGINX routing proxy extracts GitHub repo from URL path
- Knative Service auto-scales dev container instances from 0
- Dynamic GitHub repo routing via /github/{owner}/{repo}
## Components
- routing-proxy: NGINX-based service for repo extraction and forwarding
- deployment.yaml: Complete K8s manifests (proxy, Knative, ingress, secrets)
- authentik-config.yaml: Authentik application and provider configs
- serverless scripts: Dynamic repo initialization and startup handling
- Comprehensive documentation and Makefile for ops
## Key Features
- Scale to zero when not in use (cost-effective)
- Per-request isolation (each repo gets own container)
- Built-in file manager for upload/download
- Support for private repos via GitHub tokens
- User attribution via Authentik headers
- WebSocket support for VNC connections
Example usage: https://devcontainer.farh.net/github/microsoft/vscode
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
@@ -0,0 +1,168 @@
|
||||
# Authentik configuration for DevContainer serverless auth
|
||||
# This assumes Authentik is already deployed in the 'authentik' namespace
|
||||
|
||||
---
|
||||
# Application definition for DevContainer Serverless
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: authentik-devcontainer-app-config
|
||||
namespace: authentik
|
||||
data:
|
||||
# This will be applied via Authentik API or web interface
|
||||
application.yaml: |
|
||||
name: DevContainer Serverless
|
||||
slug: devcontainer-serverless
|
||||
provider: devcontainer-forward-auth-provider
|
||||
launch_url: https://devcontainer.farh.net/
|
||||
open_in_new_tab: true
|
||||
meta_description: "Serverless development containers with dynamic GitHub repository routing"
|
||||
meta_publisher: "DevContainer Team"
|
||||
policy_engine_mode: "all"
|
||||
group: "Development Tools"
|
||||
|
||||
---
|
||||
# Forward Auth Provider configuration
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: authentik-devcontainer-provider-config
|
||||
namespace: authentik
|
||||
data:
|
||||
provider.yaml: |
|
||||
name: devcontainer-forward-auth-provider
|
||||
authorization_flow: default-authorization-flow # Use your default flow
|
||||
external_host: https://devcontainer.farh.net
|
||||
|
||||
# Advanced settings
|
||||
token_validity: hours=24 # Long-lived sessions for dev work
|
||||
|
||||
# Headers to forward to the application
|
||||
# These will be available as HTTP_* environment variables in containers
|
||||
property_mappings:
|
||||
- "authentik_core.x-authentik-username"
|
||||
- "authentik_core.x-authentik-email"
|
||||
- "authentik_core.x-authentik-name"
|
||||
- "authentik_core.x-authentik-groups"
|
||||
|
||||
---
|
||||
# Outpost configuration for forward auth
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: authentik-devcontainer-outpost-config
|
||||
namespace: authentik
|
||||
data:
|
||||
outpost.yaml: |
|
||||
name: devcontainer-forward-auth-outpost
|
||||
type: proxy
|
||||
providers:
|
||||
- devcontainer-forward-auth-provider
|
||||
|
||||
# Outpost configuration
|
||||
config:
|
||||
authentik_host: https://auth.farh.net
|
||||
authentik_host_insecure: false
|
||||
authentik_host_browser: https://auth.farh.net
|
||||
|
||||
# Log level for debugging
|
||||
log_level: info
|
||||
|
||||
# Cookie settings
|
||||
cookie_domain: .farh.net
|
||||
cookie_secure: true
|
||||
|
||||
# NGINX ingress integration
|
||||
external_host: https://devcontainer.farh.net
|
||||
internal_host: http://authentik.authentik.svc.cluster.local
|
||||
|
||||
# Forward auth specific settings
|
||||
mode: forward_single
|
||||
skip_path_regex: "^/(health|metrics)$" # Skip auth for health checks
|
||||
|
||||
---
|
||||
# Example NGINX Ingress annotations for reference
|
||||
# (These go in the main ingress resource)
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: authentik-nginx-annotations
|
||||
namespace: devcontainers
|
||||
data:
|
||||
annotations.yaml: |
|
||||
# Forward auth configuration
|
||||
nginx.ingress.kubernetes.io/auth-url: http://authentik.authentik.svc.cluster.local/outpost.goauthentik.io/auth/nginx
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://auth.farh.net/outpost.goauthentik.io/start?rd=$escaped_request_uri
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: X-Authentik-Username,X-Authentik-Groups,X-Authentik-Email,X-Authentik-Name
|
||||
nginx.ingress.kubernetes.io/auth-snippet: |
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
|
||||
# Additional headers for the application
|
||||
nginx.ingress.kubernetes.io/server-snippet: |
|
||||
location ~ ^/github/([^/]+/[^/]+) {
|
||||
# Log the GitHub repo being accessed
|
||||
access_log /var/log/nginx/devcontainer-access.log combined;
|
||||
|
||||
# Set additional headers for audit/monitoring
|
||||
proxy_set_header X-GitHub-Repo-Requested https://github.com/$1;
|
||||
proxy_set_header X-Request-Timestamp $time_iso8601;
|
||||
proxy_set_header X-Client-IP $remote_addr;
|
||||
}
|
||||
|
||||
---
|
||||
# Policy for controlling access (optional - can be configured via Authentik UI)
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: authentik-devcontainer-policies
|
||||
namespace: authentik
|
||||
data:
|
||||
# Example group-based access policy
|
||||
group-access-policy.yaml: |
|
||||
name: DevContainer Access Policy
|
||||
policy_type: group_membership
|
||||
groups:
|
||||
- developers
|
||||
- devops
|
||||
- admins
|
||||
|
||||
# Example expression policy for advanced access control
|
||||
repo-access-policy.yaml: |
|
||||
name: Repository Access Policy
|
||||
policy_type: expression
|
||||
expression: |
|
||||
# Allow access to public repositories for all authenticated users
|
||||
# Require specific groups for private repositories
|
||||
|
||||
github_repo = request.http_request.headers.get('X-GitHub-Repo', '')
|
||||
|
||||
# Check if user has access to private repositories
|
||||
if 'private-repo-access' in user.ak_groups.values_list('name', flat=True):
|
||||
return True
|
||||
|
||||
# For now, allow all authenticated users to access any repository
|
||||
# You can customize this based on your needs
|
||||
return True
|
||||
|
||||
---
|
||||
# Service Monitor for Prometheus (optional)
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: authentik-devcontainer-monitoring
|
||||
namespace: authentik
|
||||
data:
|
||||
servicemonitor.yaml: |
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: devcontainer-authentik
|
||||
namespace: authentik
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: authentik
|
||||
endpoints:
|
||||
- port: http
|
||||
interval: 30s
|
||||
path: /metrics
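Review bot: The expression policy in `repo-access-policy.yaml` (the `expression: |` block) grants access on every path — the group check and the fallthrough both `return True` — so the comment "Require specific groups for private repositories" describes a rule the policy does not implement, and `github_repo` is never used. That variable is also read from the client-supplied `X-GitHub-Repo` header, which nothing in this file sets (the server-snippet sets `X-GitHub-Repo-Requested` on the upstream request), so any future check keyed on it would trust a value the caller controls; derive the repo from the forwarded request URI the outpost receives rather than an inbound header, and make the private-repo branch actually gate, e.g. `if github_repo and 'private-repo-access' not in user.ak_groups.values_list('name', flat=True): return False`. Separately, `cookie_domain: .farh.net` in the outpost config causes the session cookie to be sent to every host under farh.net rather than only devcontainer.farh.net, which is worth narrowing unless other hosts are meant to share the session, and `skip_path_regex` exempts `/metrics` from auth, so that endpoint should be restricted at the ingress if it stays unauthenticated.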
|
||||